Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Authorization Required

  • 1.  EAP-TLS Authorization Required

    Posted Mar 21, 2017 02:19 PM

    I've been looking through the forums and from what I can understand, the "Authorization Required" option in the "Edit Authentication Method" box is to compare the Username in the certificate against AD. Is this correct?  Does this add additional security? What is a good use case for this?


    Also, I've tried to enable it and when I do, I get an error in the logs saying that the user can't be found. When I uncheck/disable it, it authenticates just fine. Trying to figure out what might be the issue.



  • 2.  RE: EAP-TLS Authorization Required

    EMPLOYEE
    Posted Mar 21, 2017 02:22 PM
    EAP-TLS essentially has its own authorization as part of the Authentication phase, then it moves onto traditional authorization. If you’re receiving an error, it’s likely that you need to compare a different field or username format.

    Please post screenshots of the alert and summary tabs from access tracker.


  • 3.  RE: EAP-TLS Authorization Required

    Posted Mar 21, 2017 02:29 PM

    Thanks Tim for the info.


    Please see the errors/logs attached.



  • 4.  RE: EAP-TLS Authorization Required

    EMPLOYEE
    Posted Mar 21, 2017 02:32 PM

    Is your AD auth source configured for both sAMAccountName and userPrincipalName?



  • 5.  RE: EAP-TLS Authorization Required

    Posted Mar 21, 2017 02:38 PM

    It looks to be just sAMAccountName. But I don't know much about setting up attributes. I've attached what I believe you are asking for. If I need to add userPrincipalName, is this done in the "Filter Query" under the Filter Name...which we have labeled "Authentication"? And is it either or? Or both? ...like both sAMAccountName and userPrincipalName? Thanks!



  • 6.  RE: EAP-TLS Authorization Required
    Best Answer

    EMPLOYEE
    Posted Mar 21, 2017 02:43 PM

    First confirm in AD that the username presented is indeed the user's UPN.

     

    If you want to support both username formats, replace your Authentication filter query with:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

    Ideally, you should choose one username format from a user experience standpoint. Fully qualified username (UPN) is always my recommendation these days.
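To make the difference between the original sAMAccountName-only filter and the combined filter above concrete, here is an added example (not from this thread and not ClearPass code) that parses both filter queries and evaluates them against a small constructed AD sample. Filling the `%{Authentication:Username}` placeholder with RFC 4515 escaping is my own assumption about how the substituted value should be handled, not a description of what ClearPass does internally.

```python
import re

# Constructed sample directory entries (not from the thread); AD compares these case-insensitively.
AD_USERS = [
    {"objectClass": "user", "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"objectClass": "user", "sAMAccountName": "asmith", "userPrincipalName": "a.smith@corp.example"},
]

# The two filter queries from the thread, with ClearPass's %{Authentication:Username} placeholder.
SAM_ONLY = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
BOTH = ("(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
        "(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))")

def ldap_escape(value):
    """RFC 4515 escaping so the substituted username is matched literally, not as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_unescape(value):
    """Reverse of ldap_escape: turn '\\xx' sequences back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render(template, username):
    """Substitute the username into the filter the way the placeholder would be filled in (assumed)."""
    return template.replace("%{Authentication:Username}", ldap_escape(username))

def parse(s, i=0):
    """Parse a minimal LDAP filter (&, |, attr=value) into a tree; returns (node, next_index)."""
    i += 1                                   # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    end = s.index(")", i)                    # an escaped ')' inside a value is '\29', so this is safe
    attr, raw = s[i:end].split("=", 1)
    return ("=", attr, ldap_unescape(raw)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (equality only, case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return entry.get(node[1], "").lower() == node[2].lower()

def lookup(template, username, users=AD_USERS):
    """Return the sAMAccountNames the rendered filter matches for this username."""
    node, _ = parse(render(template, username))
    return [u["sAMAccountName"] for u in users if matches(node, u)]
```

With a UPN-style username from the certificate, `lookup(SAM_ONLY, "jdoe@corp.example")` returns nothing (the "user can't be found" symptom), while `lookup(BOTH, "jdoe@corp.example")` returns `["jdoe"]`.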



  • 7.  RE: EAP-TLS Authorization Required

    Posted Mar 21, 2017 03:39 PM

    If you have enabled Username strip in the 802.1x service, please disable and try EAP TLS authentication with authorization enabled. Also, please make sure that you have added the correct AD authentication source in the 802.1x service.



  • 8.  RE: EAP-TLS Authorization Required

    Posted Mar 21, 2017 04:40 PM

    This worked! Thanks for the help! 



  • 9.  RE: EAP-TLS Authorization Required

    Posted Feb 17, 2020 09:15 AM

    Anybody had any issues with this query syntax when using CPPM 6.8?

     

    I've used this syntax for years, yet 6.8 seems not to like it for some reason? When trying it in an auth source for example, it says it can't parse the filter?